data recovery Symantec 10.3.0 drive encryption

pcpete

We had a desktop which would no longer boot Windows. It had a failing drive. We made a sector image (nearly perfect) and it is still unbootable. It lets us put the password in to decrypt, but it gives an error when trying to load the OS. Our thoughts are if we can decrypt the drive we could then run chkdsk, and try and make it bootable. Or as a last resort, we can just recover the files.

We have done some research, but I am not sure on the best way to decrypt the drive. Do we have to buy Symantec Encryption Desktop, or does one of the bootable versions that seem free on the web work? Also, will the password work to decrypt it if the drive is out of the computer, or would we need an actual key? Any direction on this would be appreciated. Thanks
 
nearly perfect)
Is not good enough. Encryption requires ALL blocks be intact; if anything is damaged, the entire encryption block/file/drive is lost. If you have any mangled blocks then you are wasting your time. It’s mathematically IMPOSSIBLE to recover the data.
 
Encryption requires proper backups...

If this was bitlocker I'd say you'd have some chance because that's built into NTFS which has a bucket of self-healing built into it. But 3rd party encryption? Nope... it's dead Jim.

People must have proper backups when working with encrypted file systems, even better... just use cloud storage and never keep data on the endpoint at all.

This situation is a stupid that cannot be fixed.
 
I am not so sure that is correct. I have managed to open MacBook encrypted drives on which there were some issues. Humor me, assuming I am correct, do you have any experience with this encryption?
Mac's file system, like NTFS, has mathematical error correction; if it can resolve the errors and restore the block to its undamaged state then you recover it. No doubt that's what happened in your Mac case. It doesn’t matter what encryption system is used, if you have an uncorrected error in the block you will not be able to decrypt it. Like @Sky-Knight said, Symantec does not integrate with the file system. It’s one giant block.
 
How is that helpful? It is what it is. All we can do is make the best out of the situation. We would be out of business if we just told people you did it wrong and did nothing to help them.

Sometimes you have to tell the client that the patient is dead.

If you really need to recover this then it’s time to hand this off to a data recovery company that might be able to reconstruct the missing block.
 
I found a bootable disk for Symantec 10.3.0 and it is trying to decrypt it. Based on what you guys are saying it does not sound hopeful. No harm in letting it run
 
Hopefully you are decrypting the clone and not the original failing drive.
Seriously, most of your posts just seem to be lecturing people. Did you take the time to read the thread?

Yes. In fact, we paid a professional to do the image. We were not told it was encrypted when we had it sent out. We got the image back and here we are.
 
I found a bootable disk for Symantec 10.3.0 and it is trying to decrypt it. Based on what you guys are saying it does not sound hopeful. No harm in letting it run

Yeah no harm in trying... and it might work. It all depends on how the encryption is integrated with the filesystem.
 
Is not good enough. Encryption requires ALL blocks be intact; if anything is damaged, the entire encryption block/file/drive is lost. If you have any mangled blocks then you are wasting your time. It’s mathematically IMPOSSIBLE to recover the data.
No, not really. Why would it? At least, in a general case, it does not. There is a significant subset of algorithms that chain the encryption of the next block to the data in the previous block, but they are not used when random access is required.

See, if you have 10 blocks, and you need to decode the previous 8 to decode block number 9, that may be okay. However, if you have a 10 TB encrypted unit, and you need to access something at the end and the algorithm requires you to decrypt all the preceding 9 TB, it is a no-go.

This is why in storage, both with encryption and with compression, the data is split into small (think 64KB or 128KB) processing units and these are encrypted (or compressed) independently. In case one of the units is damaged, the content of this unit is lost, but all the other units still can be decoded.
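The difference described in the post above, as an added example that is not part of the original thread: a toy SHA-256 keystream stands in for the real cipher (it is not Symantec's algorithm), and the key, unit size and data are constructed. One unit of the encrypted image is zero-filled, as an imaging tool does for an unreadable sector, and the image is then decrypted under both schemes.

```python
import hashlib

UNIT = 512                      # demo unit size (the post cites 64KB-128KB units)
KEY = b"constructed-demo-key"   # constructed sample key

def keystream(seed, n):
    """Toy keystream (SHA-256 in counter mode), standing in for a real cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def units(data):
    return [data[i:i + UNIT] for i in range(0, len(data), UNIT)]

def crypt_independent(data, key):
    """Unit i depends only on (key, i); the same call encrypts and decrypts."""
    return b"".join(xor(u, keystream(key + i.to_bytes(8, "big"), len(u)))
                    for i, u in enumerate(units(data)))

def crypt_chained(data, key, decrypt=False):
    """Unit i is keyed by the plaintext of unit i-1, so errors propagate."""
    out, prev = [], b""
    for u in units(data):
        res = xor(u, keystream(key + hashlib.sha256(prev).digest(), len(u)))
        out.append(res)
        prev = res if decrypt else u   # always chain on the plaintext
    return b"".join(out)

def damage(image, bad):
    """Zero-fill unreadable units, as an imaging tool does for bad sectors."""
    return b"".join(bytes(len(u)) if i in bad else u
                    for i, u in enumerate(units(image)))

def intact(original, decrypted):
    return [i for i, (a, b) in enumerate(zip(units(original), units(decrypted)))
            if a == b]

def demo(bad=(3,)):
    plain = b"".join(bytes([i + 1]) * UNIT for i in range(10))  # constructed data
    ind = crypt_independent(damage(crypt_independent(plain, KEY), bad), KEY)
    chn = crypt_chained(damage(crypt_chained(plain, KEY), bad), KEY, decrypt=True)
    return intact(plain, ind), intact(plain, chn)

if __name__ == "__main__":
    print(demo())
```

With unit 3 damaged, the independent scheme loses only that unit, while the chained scheme loses it and every unit after it.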
 
Seriously, most of your posts just seem to be lecturing people. Did you take the time to read the thread?

Yes. In fact, we paid a professional to do the image. We were not told it was encrypted when we had it sent out. We got the image back and here we are.
I did not lecture... just asked. Amazingly enough, I get lots of work from those who think that the clone isn't good enough and they try to decrypt the source.

Your post saying you were decrypting did not specify on which drive.

Sorry to have offended.
 
You do not need 100% of all sectors to decrypt most (or all?) encrypted drives. The "key sector" of the drive needs to have been recovered though for a password to work. For Symantec/PGP whole disk encryption (perhaps depending on the version), you can use a recovery key file ("SDB" file) to decrypt using a boot cd.

The knowledgebase article I have saved is no longer valid/available online. But here's a copy/paste of what I do:
  1. Start your computer with the BartPE CD/DVD. This loads the Endpoint Encryption interface.
  2. Click Go, Programs, EEPC WinTech.
  3. When prompted, type in the access code, then click OK.
  4. From the main menu click EEPC, then select Authenticate from Database.
  5. Select the computer's SDB file, then click OK.
  6. From Select Machine, select the correct computer name.
  7. From the main menu click Workspace and select Open Workspace.
  8. From the menu Workspace select Load From Sectors.
  9. In the Load sector window enter the start sector to use for decryption in the workspace (memory), this can verify if the key is correct. Usually sector 63 after decryption would show readable content. *Could be 2048
  10. In the sector count section, type in the number of sectors that need to be read after the start sector. This is usually 1.
  11. Select from the Workspace menu the option Decrypt Workspace to decrypt the read sectors in the memory.
    NOTE: If there is readable data showing the key loaded is correct, then you can proceed to the next step; otherwise the read SDB file may contain the incorrect key and decrypting/removing the encryption may damage the data on the hard disk.
  12. From the main menu, click EEPC, and then select Remove EEPC. This decrypts the drive and removes the boot sector.

  13. *** IF that doesn’t work, try Drive: Crypt Sectors: enter encrypted region, decrypt
--

The above instructions are basically a last resort when entering password normally in PGP Desktop doesn't work.
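A script version of the "readable content" check from steps 9 to 11, added here as an example and not part of the original post or of any Symantec tool: it reads sectors 63 and 2048 from a decrypted copy of the image and reports whether each looks like a file system boot sector or like ciphertext. The sample image is constructed; the NTFS and FAT signature offsets are the standard boot sector layout, and the entropy threshold of 7.0 is an assumption.

```python
import hashlib, io, math
from collections import Counter

SECTOR = 512

def entropy(buf):
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def classify_sector(sec):
    if len(sec) != SECTOR:
        return "short read"
    boot_sig = sec[510:512] == b"\x55\xaa"          # boot sector signature
    if boot_sig and sec[3:11] == b"NTFS    ":       # NTFS OEM ID
        return "NTFS boot sector"
    if boot_sig and (sec[82:87] == b"FAT32" or sec[54:57] == b"FAT"):
        return "FAT boot sector"
    if sec.count(0) == SECTOR:
        return "all zeros"
    if entropy(sec) > 7.0:                          # assumed threshold
        return "high entropy: still encrypted or wrong key"
    return "unrecognised low-entropy data"

def check_image(img, lbas=(63, 2048)):
    """img is a seekable binary file object opened read-only on the clone."""
    result = {}
    for lba in lbas:
        img.seek(lba * SECTOR)
        result[lba] = classify_sector(img.read(SECTOR))
    return result

def sample_image():
    """Constructed 2049-sector image: noise at LBA 63, NTFS boot sector at 2048."""
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
    ntfs = b"\xeb\x52\x90NTFS    " + bytes(499) + b"\x55\xaa"
    img = bytearray(2049 * SECTOR)
    img[63 * SECTOR:64 * SECTOR] = noise
    img[2048 * SECTOR:] = ntfs
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    for lba, verdict in check_image(sample_image()).items():
        print(lba, verdict)
```

On a real job, pass `open(path, "rb")` on the decrypted clone instead of `sample_image()`.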
 